Share This Page

Justice Ministers across Europe want to make the creation of "hacking tools" a criminal offense, but critics have hit back at the plans, saying that they are unworkable.

Ministers from all 27 countries of the European Union met on June 9 to discuss European Commission proposals for a directive on attacks against information systems. But in addition to approving the Commission's text, the ministers extended the draft to include "the production and making available of tools for committing offenses".

This is problematic, as much legal and legitimate software could be put to criminal use by hackers. The draft mentions "malicious software designed to create botnets or unrightfully obtained computer passwords," but goes no further in attempting to clarify what "tools" might be subject to criminal sanctions. For example, the distinction between a password cracker and a password recovery tool is not specified. Nor is there any mention of legitimate use for testing. Many tools that could be used for hacking in the wrong hands, are used by system administrators and security consultants to probe for vulnerabilities in corporate systems.

Illegal access, illegal system interference and illegal data interference as well as instigating, aiding, abetting and attempting to commit offences are already crimes under current E.U. law. However, ministers want to harmonize penalties for illegal interception of computer data, and see the imposition of a minimum two-year sentence for the most serious crimes. They also want to oblige member states to collect basic statistical data on cybercrimes and to respond to urgent requests for information by other member states within eight hours.

The creation of hacking tools is already a criminal offense in the United Kingdom under the Computer Misuse Act and in Germany under the 202C law, and is also cited in the Budapest Cybercrime Convention. But if included in an E.U. directive, all 27 member states would be required to ban production of these so-called "tools" in national law.

The introduction of the laws in Germany in 2007 and the U.K. in 2008 met with fierce criticism. In Germany many legitimate websites shut down or moved over fears that they might be prosecuted.

German PHP security professional Stefan Esser wrote on his blog at the time that the law was not clearly written and allows too much interpretation. "While our government says that they do not want to punish, for example, hired penetration testers, this is not written down in the law," Esser wrote.

The ministers' proposals will now be put to the European Parliament, which must approve the text before it can become law. It is likely that MEPs will question some of the ministers' assumptions and will seek to better define what is meant by "tools".

Urgh. Hopefully the relevant people will see the lessons of Germany (the UK has similar but they are considerably weaker) and kick this in the head. Of course that depends on politicos knowing something about computers and if Germany's can not do it I hold out little hope of most others with the possible exception of some of the Nordic countries.

There is not even really a way to call yourself a professional/chartered computer engineer (compared to the likes of medicine, more traditional engineering and other sciences) and hacking courses although starting to appear are not all that formalised or even respected. Although you did not mention it would ask does one have to be a professional hacker- I could just be a network admin (my port scanner is used to see if I accidentally left something open) or even an enthusiastic amateur (calling oneself an engineer and being able to do engineering tasks are quite different).

As for government I hate to break it you but they more or less do what they like.

As for specificity I see it somewhat like drug laws- you can only really ban things as they come up and that is so ineffective it is not funny. I have avoided the phrase dual use technology thus far as well- my hex editor has hacked many things and solved problems many other times, my debugger had hacked many things and solved problems in code, my computer remote control software has been used to fix/use things remotely and can just as easily be used for malicious purposes.
All this "misuse" is arguably covered by existing laws and this is before we even get into the grey area stuff- my debugger has also helped reverse engineer protocols of proprietary technologies which depending on how I gain information and what I do with it can be highly illegal or actually explicitly covered as legal in other laws ("reverse engineering for interoperability" being the choice phrase here).

Because of all this a badly worded law would be a terrible drag on things and that has serious knock on effects.

I would have wagered money on that being the logic used there but that would then making this attempt at legislation a reactionary law to a current bogeyman which err see history. I will note that thus far I have not seen anything from the people responsible for this spelling out or even inferring a link to them which is a good thing in my book although whether it means they have a clue or just have good speed writers/advisers I will leave to others to debate.

I swear, people with power are just sacks of skin drying out waiting to die.

The only thing this law will affect is legitimate security companies; people like lulzsec do not care if it is against the law, they will do it anyways. However, businesses are more out there and any attempt to use these tools to test their own vulnerabilities won't be able to do it.